dwm.exe calling out to the internet

Discussion in 'malware problems & news' started by Searching_ _ _, Sep 7, 2010.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    dwm.exe is attempting to access the internet. Is this acceptable?

    Would be nice if the firewall would display the hash of the file or program making the request.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  3. wat0114

    wat0114 Guest

    What O/S are you running, Vista or Win7? To where is it trying to connect? Do you see a remote port, ip address?
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Vista SP2
    It's trying to connect out to a multicast address, 224.0.0.22 (IGMP).
    I'll have to check the block log for any other info.

    Is there any malware with that behaviour, where it uses multicast?

    Edit: Maybe I should disable Teredo?
    Malware Forensics: Investigating and Analyzing Malware Code - Google Books
     
    Last edited: Sep 7, 2010
  5. wat0114

    wat0114 Guest

    I doubt it's anything to worry about as long as it's the legitimate MS process. You could try blocking it and if you see no adverse effects, you could leave it blocked.
     
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I think it is a mistake to think that because it's an MS file name the behavior is OK.

    What is the Desktop Window Manager?
    MSDN @ Microsoft.com
    RDP replicates the functionality of DWM across a network boundary.
    Will disabling RDP be enough to stop DWM trying to connect out?
    Why is DWM trying to connect out without me initiating an RDP event?
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    "Trust no program, not even your operating system" is a nice mantra. :eek:

    -http://www.indymedia.org.uk/en/2004/10/298702.html

    *removes tin foil from the head*/just kidding :D

    Try the suggestion of wat0114. :)
     
  8. wat0114

    wat0114 Guest

    I stated that if it's a legitimate MS process it's probably nothing to worry about. That doesn't mean it can't be controlled if you don't like what it's doing, just as I don't completely like what the legit MS process svchost always does, so I control its outbound comms with the firewall. My suggestion is to simply create a rule to block dwm.exe from all outbound comms, and if that doesn't break anything, then you've accomplished what you set out to do :)
    There might be a way to disable it from within the system settings, but I don't know how that's done, at least not yet.
     
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    It has been blocked since my first post.

    I just don't feel comfortable after reading a white paper stating that multicast can be used as a hidden communication network across APs.

    A tinfoil hat offers limited protection so I've tinfoiled the entire room. :shifty::D
     
  10. katio

    katio Guest

  11. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Beck's symptoms are identical to my symptoms, and Beck never rejoined the conversation with more research.
    Members didn't offer methods of determining what is causing this behavior, beyond stating that the firewall was inaccurate in pinpointing the culprit and that the packets were being generated at a very low level.

    If packets are being generated at the I/O level, what can accomplish this?
     
  12. katio

    katio Guest

    Have you tried FileMonitor, as mentioned in that thread? They claimed you could find out which process is really requesting the connection.

    And what about the time to live (TTL)? If it's 1, it can't connect to the internet. You could allow connections to only that IP and then see what happens.
     
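The TTL check katio suggests can be made concrete from a packet capture. The block below is an added example, not code from this thread or from any of its participants. It constructs an IPv4/IGMPv3 membership report of the kind a host's IP stack emits to 224.0.0.22 when any socket joins a multicast group (the report is generated by the stack, not hand-built by an application; the joined group 239.255.255.250 and the source address are constructed choices for the example), then parses it the way you would parse a captured frame: it verifies both checksums, extracts the TTL, the destination and the reported groups, and decides whether the packet could leave the local segment at all. Two facts drive the verdict: 224.0.0.22 lies in 224.0.0.0/24, the Local Network Control Block that routers never forward, and IGMP reports carry a TTL of 1.

```python
import ipaddress
import struct

IGMP_TYPES = {
    0x11: "membership query",
    0x12: "IGMPv1 membership report",
    0x16: "IGMPv2 membership report",
    0x17: "leave group",
    0x22: "IGMPv3 membership report",
}
# RFC 5771 Local Network Control Block: link-local multicast, never forwarded by routers.
LOCAL_CONTROL_BLOCK = ipaddress.IPv4Network("224.0.0.0/24")


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv3_report(src: str, group: str) -> bytes:
    """Constructed sample packet: IPv4 (TTL 1, Router Alert option) + IGMPv3 report with one CHANGE_TO_EXCLUDE record for `group`."""
    record = struct.pack("!BBH4s", 4, 0, 0, ipaddress.IPv4Address(group).packed)  # type 4 = CHANGE_TO_EXCLUDE_MODE
    igmp = bytearray(struct.pack("!BBHHH", 0x22, 0, 0, 0, 1) + record)           # type, reserved, csum, reserved, #records
    struct.pack_into("!H", igmp, 2, rfc1071_checksum(bytes(igmp)))
    options = b"\x94\x04\x00\x00"  # Router Alert, as RFC 3376 requires for IGMPv3
    ihl_words = 5 + len(options) // 4
    header = bytearray(
        struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0xC0, ihl_words * 4 + len(igmp), 0, 0x4000, 1, 2, 0,
                    ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address("224.0.0.22").packed)
        + options)
    struct.pack_into("!H", header, 10, rfc1071_checksum(bytes(header)))
    return bytes(header) + bytes(igmp)


def analyze(packet: bytes) -> dict:
    """Parse an IPv4 packet (IGMP payload decoded if present) and judge whether it can leave the local link."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if rfc1071_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ttl, proto = packet[8], packet[9]
    dst = ipaddress.IPv4Address(packet[16:20])
    result = {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(dst),
        "ttl": ttl,
        "protocol": proto,
        "link_local_multicast": dst in LOCAL_CONTROL_BLOCK,
        "igmp_type": None,
        "groups": [],
    }
    # A TTL of 1 dies at the first router, and 224.0.0.0/24 is never routed regardless of TTL.
    result["can_leave_local_link"] = ttl > 1 and not result["link_local_multicast"]
    if proto == 2:  # IGMP
        igmp = packet[ihl:]
        if rfc1071_checksum(igmp) != 0:
            raise ValueError("bad IGMP checksum")
        result["igmp_type"] = IGMP_TYPES.get(igmp[0], "unknown 0x%02x" % igmp[0])
        if igmp[0] == 0x22:
            (num_records,) = struct.unpack("!H", igmp[6:8])
            off = 8
            for _ in range(num_records):
                rtype, aux_len, nsrc = struct.unpack("!BBH", igmp[off:off + 4])
                result["groups"].append((rtype, str(ipaddress.IPv4Address(igmp[off + 4:off + 8]))))
                off += 8 + 4 * nsrc + 4 * aux_len   # skip source list and auxiliary data
        else:
            # IGMPv1/v2 messages carry a single group address at offset 4.
            result["groups"].append((None, str(ipaddress.IPv4Address(igmp[4:8]))))
    return result


if __name__ == "__main__":
    sample = build_igmpv3_report("192.168.1.10", "239.255.255.250")  # constructed: host joining the SSDP group
    for key, value in analyze(sample).items():
        print("%-22s %s" % (key, value))
```

To use this on real traffic, feed `analyze` the IPv4 bytes of a captured frame (everything after the Ethernet header). A report whose `can_leave_local_link` is False is confined to your own segment whatever process the firewall names; the interesting question then is which socket joined the group, which is what the FileMonitor/Process Monitor route in the other thread was after.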